{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-24551", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-01-23T12:31:51.715Z", "datePublished": "2026-01-23T14:28:53.243Z", "dateUpdated": "2026-04-28T16:14:49.243Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "monetag-official", "product": "Monetag Official Plugin", "vendor": "monetagwp", "versions": [{"lessThanOrEqual": "1.1.3", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Nabil Irawan | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-22T14:20:55.222Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authorization vulnerability in monetagwp Monetag Official Plugin monetag-official allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects Monetag Official Plugin: from n/a through <= 1.1.3.</p>"}], "value": "Missing Authorization vulnerability in monetagwp Monetag Official Plugin monetag-official allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Monetag Official Plugin: from n/a through <= 1.1.3."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:49.243Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/monetag-official/vulnerability/wordpress-monetag-official-plugin-plugin-1-1-3-broken-access-control-vulnerability-2?_s_id=cve"}], "title": "WordPress Monetag Official Plugin plugin <= 1.1.3 - Broken Access Control vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-26T18:09:52.955089Z", "id": "CVE-2026-24551", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T14:22:14.120Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-24551", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-26T18:09:52.955089Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-26T18:09:49.004Z"}}], "cna": {"title": "WordPress Monetag Official Plugin plugin <= 1.1.3 - Broken Access Control vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Nabil Irawan | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "monetagwp", "product": "Monetag Official Plugin", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "1.1.3"}], "packageName": "monetag-official", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "datePublic": "2026-04-22T14:20:55.222Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/monetag-official/vulnerability/wordpress-monetag-official-plugin-plugin-1-1-3-broken-access-control-vulnerability-2?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in monetagwp Monetag Official Plugin monetag-official allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Monetag Official Plugin: from n/a through <= 1.1.3.", "supportingMedia": [{"type": "text/html", "value": "Missing Authorization vulnerability in monetagwp Monetag Official Plugin monetag-official allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects Monetag Official Plugin: from n/a through <= 1.1.3.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "Missing Authorization"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-23T14:14:06.240Z"}}}, "cveMetadata": {"cveId": "CVE-2026-24551", "state": "PUBLISHED", "dateUpdated": "2026-04-28T14:22:14.120Z", "dateReserved": "2026-01-23T12:31:51.715Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-01-23T14:28:53.243Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in monetagwp Monetag Official Plugin monetag-official allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Monetag Official Plugin: from n/a through <= 1.1.3."}, {"lang": "es", "value": "Vulnerabilidad de falta de autorizaci\u00f3n en el plugin oficial de Monetag monetagwp monetag-official permite explotar niveles de seguridad de control de acceso incorrectamente configurados. Este problema afecta al plugin oficial de Monetag: desde n/d hasta &lt;= 1.1.3."}], "id": "CVE-2026-24551", "lastModified": "2026-04-28T15:16:13.283", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.5, "source": "audit@patchstack.com", "type": "Secondary"}]}, "published": "2026-01-23T15:16:11.717", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/monetag-official/vulnerability/wordpress-monetag-official-plugin-plugin-1-1-3-broken-access-control-vulnerability-2?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-16T01:46:56.922401+00:00", "value": {"mitigation_remediation": ["Upgrade Monetag Official Plugin to a version newer than 1.1.3 once it becomes available.", "If an upgrade cannot be performed immediately, restrict access to the plugin\u2019s administrative URLs by applying role\u2011based access controls or web\u2011server authentication such as .htaccess restrictions.", "Deploy a web application firewall rule that inspects requests to the plugin\u2019s endpoints and blocks unauthenticated or unauthorized traffic.", "Conduct a security review of the plugin\u2019s endpoints to verify that all actions enforce the necessary authorization checks before execution."], "summary": {"action": "Apply Patch", "impact": "Unauthorized Access due to Missing Authorization"}, "threat_synthesis": {"affected_systems": "WordPress sites running the Monetag Official Plugin, branded as monetagwp:Monetag Official Plugin, with affected versions from the initial release up through 1.1.3. No higher\u2011than\u20116\u2011digit versioning is mentioned, and all releases prior to or equal to 1.1.3 contain the flaw.", "description_and_impact": "Missing Authorization in Monetag Official Plugin versions through 1.1.3 allows an attacker to exploit incorrectly configured access control security levels. The vulnerability means that requests can be processed without the required authorization checks, enabling actions that should be restricted. The weakness is classified as CWE\u2011862: Lack of Security Controls for Unauthorized Access. The CVE score of 5.4 places the risk in a moderate category, indicating that while exploitation is not trivial, the potential impact on confidentiality, integrity or availability is non\u2011negligible if the plugin is exposed to the public web.", "risk_and_exploitability": "The CVSS score indicates moderate severity, and the EPSS of less than 1% suggests a low probability of existing exploitation, though no reported exploits exist in the KEV catalog. The vulnerability is exploitable by users who can send crafted HTTP requests to any endpoint within the plugin that lacks proper authorization checks. An attacker could gain unauthorized access to the plugin\u2019s administrative interface or any backend actions, potentially reading or modifying data stored by the plugin. As the flaw is in access control logic, it can be leveraged without needing additional privileges or exploiting other vulnerabilities in the environment."}}}}, "created": "2026-01-26T11:53:01.190003+00:00", "updated": "2026-04-16T02:00:12.320026+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}